Cloudy with a chance of non-compliance

Compliance, along with security and privacy, is a big topic when firms consider cloud services. I recently did a Forrester Webinar on the topic of compliance for cloud computing. This blog entry is a recap of the Webinar.

In terms of compliance for cloud services, there are four categories of issues of concern:

  • Where: Geographically-related issues
  • How: This is about operational details that affect compliance
  • Audit: Show me evidence that you can help me achieve compliance
  • Others: Everything that doesn’t fit into the above categories

For the “where” category, you need to be conscientious of the following aspects:

  • Datacenter locations
  • Implications of local laws and regulations (where the datacenters are operating)
  • Third-party access: Does the vendor use any “third-party” resources that may affect the locations of relevant data?

We recently helped a client evaluate the business suitability of a SaaS provider. In the course of doing so, we discovered that the SaaS vendor used a third-party backup service to back up their logs. Although the SaaS provider is located entirely in the US, the backup service provider is not. Therefore there is a question of whether my client’s logs will get stored in a datacenter outside the country. This made my client uneasy.

The “How” category is the biggest and most comprehensive, as it includes many operational aspects. For example, along with other aspects, you need to consider:

  • Do the datacenter’s operations meet the specific regulatory requirements that you have (e.g., is it PCI compliant -- audited by a PCI QSA?)
  • Does the provider have a compliance management program?
  • Does the provider have a DR/BC plan that is consistent with my requirements?
  • Does the provider’s data breach/incident handling procedure meet your requirements?
  • Is the data center SAS 70 Type II certified?

The “Audit” category deals with the procedure of audits, framework of audits, whether or not the provider can supply adequate audit evidence or agree to a third-party audit.

In addition, you need to consider eDiscovery and enterprise investigation support. Too often enterprises tell me that cloud providers do not let them be the administrator of their data living in the cloud. You need to ask your vendor what support they will provide for discovery and investigation purposes, such as any restrictions on access to data, means of access to data (self servicing vs. manual), responsiveness to discovery requests, flexibility to data access, etc.

Finally, third party is often the “fly in the ointment” -- even when you are satisfied with every aspect that you can conceivably think of with respect to your cloud provider’s operations. You need to understand whether they use any third party in a way that impacts your compliance status (see the example I listed above). Everything we talked about so far applies to third party accesses.

In the next 90 days, we recommend that you form a cloud game plan, which looks like the following (for compliance aspects):

  • First step, gather legal and regulatory requirements, involve legal/compliance/risk officers early
  • Second, conduct a high-level feasibility study based on these requirements
  • If the feasibility study indicates a preliminary green light, then perform detailed evaluation (based on the “where,” “how,” “audit” framework here)
  • Require audits when in doubt, embed recourse actions in your contracts, and engage trusted third-party assessment services.

For details, please refer to the Webinar recording.


re: Cloudy with a chance of non-compliance

Dr. Wang,

When the consumer of the Cloud Service is not in a direct contractual relationship with each party of the service stack that might be considered to have custody of its data, there is always a risk of non-compliance. However, I don't like the idea of the consumer signing a contract with each and every party involved in the service stack. That will be a legal dept. (outside counsel’s) dream come true. Think of all the billable hours. The beauty of the Cloud Computing paradigm is that the customer doesn't have to worry about the exact location of the data, as long as the provider can guarantee the Confidentiality, Integrity and the Availability of the Data and Logs. In fact I prefer that the contract between the customer and the cloud computing provider doesn't include the clause about the exact location of the data. This gives the provider the agility and nimbleness during disaster recovery.

Confidentiality needs to be addressed. But I don't think taking apart the service at each layer before signing the contract is the way to go. We need to explore other ways of ensuring Confidentiality. One way to ensure confidentiality of the backup logs you mentioned in your post would be to encrypt them before shipping them off for backup or use a host-proof hosting encrypted vault. That way the exact location of the backup won’t be an issue.

Just my $0.02.